meteor allow rules

Tags: rules, meteor

I have a question on meteor's parties example.

If I call this code:

Parties.allow({
  insert: function () {
    return true;
  },

  remove: function () {
    return true;
  },

  update: function () {
    return true;
  }
});

everybody can do insert, remove and update. The code from the example is

Parties.allow({
  insert: function (userId, party) {
    return false; // no cowboy inserts -- use createPage method
  },
  update: function (userId, parties, fields, modifier) {
    return _.all(parties, function (party) {
      if (userId !== party.owner)
        return false; // not the owner

      var allowed = ["title", "description", "x", "y"];
      if (_.difference(fields, allowed).length)
        return false; // tried to write to forbidden field

      // A good improvement would be to validate the type of the new
      // value of the field (and if a string, the length.) In the
      // future Meteor will have a schema system to make that easier.
      return true;
    });
  },
  remove: function (userId, parties) {
    return ! _.any(parties, function (party) {
      // deny if not the owner, or if other people are going
      return party.owner !== userId || attending(party) > 0;
    });
  }
});

So my question is where the variables userId and party, at this line for example,

 insert: function (userId, party) {

are defined? Are these the variables I call in the method

 Meteor.call("createParty", variable1, variable2)

? But this wouldn't make sense because the client calls

 Meteor.call('createParty', {
    title: title,
    description: description,
    x: coords.x,
    y: coords.y,
    public: public
  });

I hope somebody can explain the allow functions to me? Thanks!

asked Jan 24 '13 08:01

dome12b


1 Answer

To understand allow/deny, you need to understand where the userId and doc parameters come from. (Just as in any function definition, the actual parameter names don't matter.) Looking just at the Parties insert example:

Parties.allow({
  insert: function (userId, party) {
    return false; // no cowboy inserts -- use createPage method
  }
});

The party parameter is the doc that's being inserted:

Parties.insert(doc);

The userId parameter is set automatically IF you're using the Meteor Accounts auth system. Otherwise, you have to set it yourself on the server. How do you do that?

In general, you call code on the server from the client by using Meteor.call(). Since there's no built-in API to set userId (other than Accounts), you have to write your own (goes in your server code):

Meteor.methods({
  setUserId: function (userId) {
    this.setUserId(userId);
  }
});

Then you can call it like this, anywhere in your client code:

Meteor.call('setUserId', userId);

answered Sep 17 '22 23:09

Phil Mitchell
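
As an added illustration (not part of the answer above, and not Meteor's own code), this plain-JavaScript stand-in for a collection shows where each allow argument comes from: `userId` from server-side connection state, the document and field names from the client's write. `makeCollection`, `attempt`, `demo` and the sample users are hypothetical names; the update rule mirrors the owner and field checks of the example in the question.

```javascript
// Simplified stand-in for a Meteor collection (hypothetical, not Meteor's code):
// it shows which side supplies each argument of an allow callback.
function makeCollection(rules) {
  const docs = new Map();
  return {
    docs,
    // `connection` models server-side session state; `doc` comes from the client.
    insert(connection, doc) {
      if (!rules.insert(connection.userId, doc)) throw new Error("Access denied");
      docs.set(doc._id, doc);
    },
    update(connection, id, fields) {
      const doc = docs.get(id);
      if (!rules.update(connection.userId, [doc], Object.keys(fields)))
        throw new Error("Access denied");
      Object.assign(doc, fields);
    },
  };
}

// Same checks as the example's update rule: owner only, whitelisted fields only.
const ALLOWED = ["title", "description", "x", "y"];
const rules = {
  insert: (userId, party) => false, // inserts go through a server method instead
  update: (userId, parties, fields) =>
    parties.every((party) =>
      userId === party.owner && fields.every((f) => ALLOWED.includes(f))),
};

// Try one write and report whether the rules let it through.
function attempt(fn) {
  try { fn(); return "allowed"; } catch (e) { return "denied"; }
}

function demo() {
  const Parties = makeCollection(rules);
  // Constructed sample document, stored directly as a trusted server method would.
  Parties.docs.set("p1", { _id: "p1", owner: "alice", title: "BBQ" });
  const alice = { userId: "alice" }; // set by the server after login
  const bob = { userId: "bob" };
  return {
    clientInsert: attempt(() => Parties.insert(alice, { _id: "p2", owner: "alice" })),
    ownerEdit: attempt(() => Parties.update(alice, "p1", { title: "Picnic" })),
    otherEdit: attempt(() => Parties.update(bob, "p1", { title: "Mine" })),
    ownerChange: attempt(() => Parties.update(alice, "p1", { owner: "bob" })),
    title: Parties.docs.get("p1").title,
  };
}
```

Since every rule trusts `userId`, whatever sets it on the server (an Accounts login, or a custom method that calls `this.setUserId`) needs to verify the caller before doing so.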